Penetration Testing mailing list archives
Re: [PEN-TEST] Legal aspect of Pen-Test
From: "Thompson, Stephen" <stephen () FISHNETSECURITY COM>
Date: Thu, 5 Oct 2000 16:26:54 -0500
Here is a copy of a legal document that we use for Pen-Test liability avoidance. It is based on a document that is used by and was forwarded to us by the FBI. It (attached) is in Microsoft Word 2000 format. Here it is in text:

Release and Authorization

During the course of the investigation, there may be several procedural points that the client must be aware of, including:

· The Investigator may employ the same methods and tools of known computer-aided pranksters, vandals, criminals, terrorists and foreign agents during the course and conduct of this security audit.

· These methods may also include impersonation of authorized personnel through "social engineering" for information gathering via telephone, e-mail, or other electronic means that are limited to the client's immediate personnel and network.

· These methods, when used without authorization and permission of the organization they are being employed against, may constitute a violation of state and possibly federal criminal codes.

· Although no damages or disruptions to the client's activities or systems are anticipated as a result of this exercise, there is a very small but real possibility that such damages and disruptions could occur. The client shall hold the Investigator faultless and not legally, morally, or monetarily liable for any such damages or disruptions.

· If the exercise appears to be causing a real or suspected disruption to the client's activities, operations, or production systems, the Investigator will immediately halt the exercise.

Due to the sensitive nature of this scope of work, it is imperative that the client understand the associated risks. As a precaution, Fishnet has prepared a stringent protocol for guaranteeing the success of this investigation. Included in this document is a Guarantee of Confidentiality and Consideration that is being provided to outline the precautions being used.
It is also requested that the client provide an indication of the understanding and acceptance of these risks and precautions.

I understand that at no time will the Investigator divulge any information regarding the details of the investigation or evidence collected to any third party other than what has been specified within this document, without the explicit written authorization of the primary contact and authorizing agent.

I also understand that the Investigator will provide full and complete disclosure of all information gathered, including copies of data and evidence, and reports created by the Investigator.

I understand that the Investigator will keep the organization informed of all activities, operations, and proceedings of the investigation.

I understand that the Investigator normally reserves the right to keep copies of reports generated for administrative, archival, and training purposes. I understand that this information is only used in-house and will not be divulged to any third party. I understand that if I wish for the Investigator not to maintain copies of evidence gathered during the investigation, it must be specified in the Scope of Services Requested section of this document.

As an authorized agent for the client, I do hereby grant the Investigator permission to perform research, make recommendations, and follow the course of action requested by the scope of services listed here.
X ______________________________
(Signature of authorized representative for the client and date)

-----Original Message-----
From: Pascal Longpre [mailto:longprep () HOTMAIL COM]
Sent: Thursday, October 05, 2000 2:35 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Legal aspect of Pen-Test

Hi,

Does anyone have a template or an example of what a legal Pen-Test contract looks like, so the security firm is covered in the case where:

- The Pen-Tester gets traced and the police knock at his door
- The Pen-Tester is believed to have caused damage to the customer's equipment or data during the penetration
- The customer has followed the security firm's advice and implemented the required security measures but is hacked a few days after
- Any other problem that can arise from the security firm's activities

I'm looking for the legal stuff or ideas of what it might include.

Regards,
Pascal
Attachment:
Request_for_Services.doc